Message-ID: <20250620054757.1006729-1-naoyatezuka@chromium.org>
Date: Fri, 20 Jun 2025 14:47:57 +0900
From: Naoya Tezuka <naoyatezuka@...omium.org>
To: Kees Cook <kees@...nel.org>,
	Tony Luck <tony.luck@...el.com>,
	"Guilherme G . Piccoli" <gpiccoli@...lia.com>
Cc: Tzung-Bi Shih <tzungbi@...nel.org>,
	linux-hardening@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Naoya Tezuka <naoyatezuka@...omium.org>
Subject: [PATCH] pstore/ram: Validate ECC parameters against Reed-Solomon constraint

The Reed-Solomon library enforces the constraint `n <= 2^m - 1` via a
BUG_ON(), where `n` is `block_size + ecc_size` and `m` is `symsize` for
the pstore RAM backend. A driver providing invalid parameters can trigger
this, leading to a kernel panic. For more details on the theory behind it:
https://www.cs.cmu.edu/~guyb/realworld/reedsolomon/reed_solomon_codes.html

This issue was discovered during development of the chromeos_pstore driver:
https://lore.kernel.org/lkml/20250610050458.4014083-1-naoyatezuka@chromium.org/

Add a check to validate this constraint before initializing the Reed-Solomon
codec. On failure, return -EINVAL to prevent the panic.

Signed-off-by: Naoya Tezuka <naoyatezuka@...omium.org>
---
 fs/pstore/ram_core.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index f1848cdd6d34..c7a2ff9c5a6c 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -212,6 +212,14 @@ static int persistent_ram_init_ecc(struct persistent_ram_zone *prz,
 		return -EINVAL;
 	}
 
+	if (prz->ecc_info.block_size + prz->ecc_info.ecc_size >
+	    (1 << prz->ecc_info.symsize) - 1) {
+		pr_err("%s: invalid ecc parameters (block_size = %d, ecc_size = %d, symsize = %d\n",
+		       __func__, prz->ecc_info.block_size,
+		       prz->ecc_info.ecc_size, prz->ecc_info.symsize);
+		return -EINVAL;
+	}
+
 	prz->buffer_size -= ecc_total;
 	prz->par_buffer = buffer->data + prz->buffer_size;
 	prz->par_header = prz->par_buffer +
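
Review bot: In the new condition, `(1 << prz->ecc_info.symsize) - 1` is computed without any bound on symsize in the visible lines, so a negative value or one at or above the width of int makes the shift undefined, and the check can then pass or fail arbitrarily for exactly the kind of bad driver input it is meant to reject. Consider rejecting an out-of-range symsize before computing the limit. The sum `block_size + ecc_size` is similarly unchecked for overflow if these fields are signed ints, as the %d specifiers suggest. Minor: the pr_err format string opens a parenthesis before "block_size" and never closes it; add ")" before the "\n".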
-- 
2.50.0.rc2.701.gf1e915cc24-goog

